diff --git a/dbTools/profile.js b/dbTools/profile.js
index 9d186c4..6693d94 100644
--- a/dbTools/profile.js
+++ b/dbTools/profile.js
@@ -199,6 +199,12 @@ userDB = (DB) => {
 return g ? g.isPrivate : false;
 }

+ DB.isOwnerOfGroup = async (profileid, groupid) => {
+ let profile = await DB.getProfileCache(profileid);
+ let group = userProfileCache[groupid] ? userProfileCache[groupid] : await DB.getGroup(groupid);
+ return profile.userid == group.userid;
+ }
+
 DB.getGroup = async (groupid) => {
 const _id = DB.ObjectID(groupid);
 //if(userProfileCache[groupid]) return userProfileCache[groupid];
@@ -238,7 +244,7 @@ userDB = (DB) => {
 }
 DB.followProfile(profileid, groupid)
 delete userProfileCache[groupid];
- return DB.profileCols.updateOne({_id}, update).then(console.log).catch((err)=>{
+ return DB.profileCols.updateOne({_id}, update).catch((err)=>{
 console.log(err);
 return false;
 });
diff --git a/routes/profile.js b/routes/profile.js
index 9f1e7cb..ecee287 100644
--- a/routes/profile.js
+++ b/routes/profile.js
@@ -95,7 +95,6 @@ DB.getDB.then((DB)=>{
 isGroup: true,
 ... req.body
 };
- console.log("newGroup", profile)
 let profileObj = new Profile(profile);
 DB.newProfile(profileObj)
 return res.json({
@@ -116,8 +115,14 @@ DB.getDB.then((DB)=>{
 //This function should be called to accept the join request
 //of an user that attempt to join a private group.
 const groupid = getProfileId(req); //It needs to have this profile context
+ const groupidBody = req.body.groupid ? DB.ObjectID(req.body.groupid) : undefined;
+ if(groupidBody && groupid != groupidBody && !DB.isOwnerOfGroup(groupid, groupidBody)){
+ return res.json({
+ status: "Only group owner can accept new subscribers"
+ });
+ }
 const profileAcepted = DB.ObjectID(req.body.profileid);
- DB.acceptGroupJoinReq(profileAcepted, groupid);
+ DB.acceptGroupJoinReq(profileAcepted, groupidBody || groupid);
 //Add Notification to accepted user
 return res.json({
 status: "ok"
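Review bot: In dbTools/profile.js, the comparison in the new `DB.isOwnerOfGroup` is not guarded against missing records or missing `userid` fields: if `DB.getProfileCache` or `DB.getGroup` yields nothing, the property access throws, and if both records lack `userid` then `undefined == undefined` reports ownership. I would fail closed before comparing, `if (!profile || !group || profile.userid == null) return false;`. If `userid` is stored as an ObjectID rather than a string (not visible in this hunk), `==` compares references and would always be false, so `String(profile.userid) === String(group.userid)` is the safer form. A one-line comment such as `// async: returns a Promise<boolean>, callers must await` would also help, since the result decides an authorization check.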
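Review bot: In routes/profile.js, the ownership check added to the accept-join-request handler never rejects anyone, because `DB.isOwnerOfGroup` is `async` and the condition negates the Promise it returns, which is always truthy; a request that carries a `groupid` in the body therefore reaches `DB.acceptGroupJoinReq` for that group whoever owns it. The call has to be awaited, `if (groupidBody && String(groupid) !== String(groupidBody) && !(await DB.isOwnerOfGroup(groupid, groupidBody))) {`, which needs the route handler (declared outside this hunk) to be `async` and to handle a rejected lookup. The existing `groupid != groupidBody` presumably compares an ObjectID with whatever `getProfileId` returns, so it may be a reference comparison that is always true; comparing the string forms avoids that. `DB.ObjectID(req.body.groupid)` probably throws on a malformed id, so it may need a guard, and the refusal would be clearer as `return res.status(403).json({ ... })` than as a 200 response.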